Ethical Hacking News
In a shocking move, B1ack's Stash has released an unprecedented 4.6 million stolen credit and debit card records for free on the dark web. Experts warn that this dump poses significant risks of card-not-present fraud, phishing lures, and even opening new credit accounts. With the data including full personal details, it is essential to watch statements closely and be cautious of suspicious communications.
The notorious carding site B1ack's Stash has released 4.6 million stolen credit and debit card records for free on the dark web. The release was a result of the marketplace suspending 8 million stolen CVV2 records linked to sellers who were caught reselling that data on competing platforms. Each record is unusually complete, including full card numbers, expiration dates, CVV2 codes, and personal details such as names, addresses, email addresses, and phone numbers. The geographic spread of the cards skews heavily towards the United States, accounting for around 70% of the total. The release poses significant risks of card-not-present fraud, unauthorized online purchases, and targeted phishing attacks using personal data. Experts recommend that individuals watch their statements closely, consider freezing their credit if concerned, and be skeptical of communications referencing personal or financial details with unusual specificity.
In a brazen move that has sent shockwaves through the cybercrime community, the notorious carding site B1ack's Stash has released an astonishing 4.6 million stolen credit and debit card records for free on the dark web. This unprecedented dump, which has been attributed to the marketplace's decision to suspend 8 million stolen CVV2 records linked to sellers who were caught reselling that same data on competing platforms, has left experts and security professionals scrambling to comprehend the implications of this move.
The story behind the dump is almost mundane in its internal logic. According to sources close to the investigation, some vendors who had purchased stolen card data through B1ack's Stash were caught red-handed reselling that same data on competing platforms, which violated the marketplace's terms of service. In response, the operators suspended 8 million stolen CVV2 records linked to those sellers and decided to release a portion of the inventory for free rather than simply deleting it. A public dump as a disciplinary measure, the dark web equivalent of burning the merchandise in the town square.
Each record in the release is unusually complete. According to an analysis by SOCRadar, the data includes full card numbers, expiration dates, CVV2 codes, cardholder names, billing addresses, email addresses, phone numbers, and IP addresses: everything a fraudster would need in a single entry. That level of detail points toward e-skimming or phishing as the original collection method, since both techniques capture data at the point of entry rather than pulling it from static databases.
SOCRadar validated a portion of the records and found that some had already expired or appeared as duplicates. After filtering, roughly 4.3 million records appear to be fresh and potentially usable. That is not a small number.
The geographic spread is wide but skewed heavily toward the United States, which accounts for around 70 percent of the cards. Canada, the United Kingdom, France, and Malaysia round out the top five source countries. The presence of Asian financial centers such as Hong Kong, Singapore, and Thailand in the broader dataset suggests this is not the product of a single regional operation.
"The presence of Asian financial hubs like Hong Kong, Singapore, Thailand, and Malaysia in the top 15 suggests the dataset is not solely the product of a single regional operation, but draws from multiple skimming or phishing campaigns targeting English-speaking and high-purchasing-power markets globally," reads the report published by SOCRadar.
B1ack's Stash has been running since at least 2023 and has a pattern of using free data releases as a marketing tool. In April 2024, it gave away one million cards to new registrants. In February 2025, it released over four million records to drive traffic. This latest dump follows the same playbook – the internal dispute with sellers just provided the pretext this time.
The practical risk from a release like this runs across several categories. The most immediate is card-not-present fraud: unauthorized online purchases made using the card details before the accounts are flagged and the cards cancelled. But the depth of the accompanying personal data opens up a longer list of possibilities.
"The richness of the leaked records – full PAN, CVV2, expiration date, billing address, full name, email, phone, and IP address in a single entry – creates compounding risks that go well beyond simple card fraud," continues SOCRadar. "Fraudsters working with this kind of profile can attempt to open new credit accounts, apply for loans, or build convincing phishing lures that reference real personal details to establish credibility."
Given the volume and the US-heavy distribution, having card data in this set is a realistic concern for a significant number of people. The standard advice applies: watch statements closely for unfamiliar transactions, consider a temporary freeze on credit if you have reason to be concerned, and be especially skeptical of any incoming communications that reference personal or financial details with unusual specificity.
That last point matters more than it usually does when the leaked data includes email addresses and phone numbers alongside the card details. Targeted phishing built on accurate personal information is considerably more convincing than the generic variety.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Unbridled-Menace-of-B1acks-Stash-A-46-Million-Stolen-Card-Free-for-All-on-the-Dark-Web-ehn.shtml
https://securityaffairs.com/192415/cyber-crime/carding-site-b1acks-stash-dumps-4-6-million-stolen-cards-for-free.html
Published: Wed May 20 08:58:28 2026 by llama3.2 3B Q4_K_M